Bridge + NAT + Firewall

[KPE]

Hi, I have some problems getting the LXC firewalls managed by Proxmox to work.

This is my pve setup:

auto lo
iface lo inet loopback

iface enp9s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address xxx.xxx.xxx.227/32
        gateway xxx.xxx.xxx.193
        bridge-ports enp9s0
        bridge-stp off
        bridge-fd 1
        pointopoint xxx.xxx.xxx.193
        bridge_hello 2
        bridge_maxage 12

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Whenever I enable a LXC firewall on any virtual adapter that connects to the vbmr1 bridge, it seems it blocks all outgoing traffic, even if I add a rule that accepts all in- and outgoing traffic. There are no traces in the firewall logs, so I suspect it's something todo with my interface configuration.

Can anyone tell me what I'm doing wrong?

 

[Kiyo]

I'm having this issue as well, seems disabling the firewall on the individual containers works, but then they lose incoming traffic sometimes

 

[RokaKen]

See the wiki on Network Configuration [0], in particular, the note about "conntrack zones".

[0] https://pve.proxmox.com/wiki/Networ...ith_tt_span_class_monospaced_iptables_span_tt